deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Content reorg and rebranding changes.

Browse Source
This commit is contained in:
Andrea Bichsel
2018-08-09 13:02:07 -07:00
parent f39da8158e
commit 70fb7062d0
5 changed files with 121 additions and 193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
View File

@ -14,28 +14,20 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Configure end-user interaction with Windows Defender Antivirus
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure end-user interaction with antivirus
**Manageability available with**
- Group Policy
You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
You can configure how users of the endpoints on your network can interact with antivirus.
This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
This includes whether they see the antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
## In this section
Topic | Description
---|---
[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
[Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints

30
windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
View File

@ -14,44 +14,32 @@ ms.author: v-anbic
ms.date: 07/27/2017
---
# Configure and validate exclusions for Windows Defender AV scans (client)
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
# Configure and validate exclusions for antivirus
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center
You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus.
You can exclude certain files, folders, processes, and process-opened files from antivirus scans.
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
>[!WARNING]
>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
>Defining exclusions lowers the protection offered by antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## In this section
Topic | Description
---|---
[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location
[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process
[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions
[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from antivirus scans based on their file extension, file name, or location
[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | Exclude files from scans that have been opened by a specific process
[Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.

71
windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure and test Windows Defender Antivirus network connections
description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service.
keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
title: Configure and validate antivirus network connections
description: Configure and test your connection to the antivirus cloud protection service.
keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,38 +14,29 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Configure and validate network connections for Windows Defender Antivirus
# Configure and validate antivirus network connections
**Applies to:**
- Windows 10 (some instructions are only applicable for Windows 10, version 1703 or later)
**Audience**
- Enterprise security administrators
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
To ensure antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Fast learning (including block at first sight)
>- Potentially unwanted application blocking
## Allow connections to the Windows Defender Antivirus cloud
## Allow connections to the antivirus cloud service
The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network.
The antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
>The antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
@ -59,10 +50,10 @@ The following table lists the services and their associated URLs that your netwo
</tr>
<tr style="vertical-align:top">
<td>
Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
</td>
<td>
Used by Windows Defender Antivirus to provide cloud-delivered protection
Used by antivirus to provide cloud-delivered protection
</td>
<td>
*.wdcp.microsoft.com*<br />
@ -85,7 +76,7 @@ Signature and product updates
Definition updates alternate download location (ADL)
</td>
<td>
Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
Alternate location for antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
</td>
<td>
*.download.microsoft.com
@ -122,7 +113,7 @@ http://www.microsoft.com/pki/certs
Symbol Store
</td>
<td>
Used by Windows Defender Antivirus to restore certain critical files during remediation flows
Used by antivirus to restore certain critical files during remediation flows
</td>
<td>
https://msdl.microsoft.com/download/symbols
@ -133,36 +124,35 @@ https://msdl.microsoft.com/download/symbols
Universal Telemetry Client
</td>
<td>
Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes
Used by Windows to send client diagnostic data; antivirus uses this for product quality monitoring purposes
</td>
<td>
This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <ul><li>vortex-win.data.microsoft.com</li><li>settings-win.data.microsoft.com</li></ul></td>
</tr>
</table>
<a id="validate"></a>
## Validate connections between your network and the cloud
After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected.
After whitelisting the URLs listed above, you can test if you are connected to the antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud:
Use the following argument with the antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the antivirus cloud service:
```DOS
MpCmdRun -ValidateMapsConnection
```
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703.
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
See [Mange antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
**Attempt to download a fake malware file from Microsoft:**
You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud.
You can download a sample file that antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- http://aka.ms/ioavtest
@ -170,9 +160,9 @@ Download the file by visiting the following link:
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning notification from Windows Defender Antivirus:
If you are properly connected, you will see a warning antivirus notification:
![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
![Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
If you are using Microsoft Edge, you'll also see a notification message:
@ -180,7 +170,7 @@ If you are using Microsoft Edge, you'll also see a notification message:
A similar message occurs if you are using Internet Explorer:
![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
![Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app:
@ -195,17 +185,16 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png)
>[!NOTE]
>Versions of Windows 10 before version 1703 have a different user interface. See the [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
>Versions of Windows 10 before version 1703 have a different user interface. See [Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
- [Run an antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)

63
windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure notifications for Windows Defender Antivirus
description: Configure and customize notifications from Windows Defender AV.
keywords: notifications, defender, endpoint, management, admin
title: Configure antivirus notifications
description: Configure and customize antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,22 +16,14 @@ ms.date: 04/30/2018
# Configure the notifications that appear on endpoints
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- Windows Defender Security Center app
In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
@ -40,7 +32,7 @@ You can also configure how standard notifications appear on endpoints, such as n
You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy.
> [!NOTE]
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**.
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
> [!IMPORTANT]
> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
@ -59,59 +51,54 @@ You can configure the display of additional notifications, such as recent threat
**Use Group Policy to disable additional notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
3. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Configure standard notifications on endpoints
You can use Group Policy to:
- Display additional, customized text on endpoints when the user needs to perform an action
- Hide all notifications on endpoints
- Hide reboot notifications on endpoints
Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
Hiding notifications can be useful in situations where you can't hide the entire antivirus interface. See [Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
See the [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) topic for instructions to add custom contact information to the notifications that users see on their machines.
See [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
**Use Group Policy to hide reboot notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with antivirus](configure-end-user-interaction-windows-defender-antivirus.md)

98
windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
keywords: process, exclusion, files, scans
keywords: antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,26 +16,16 @@ ms.date: 07/10/2018
# Configure exclusions for files opened by processes
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center
You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV.
You can exclude files that have been opened by specific processes from antivirus scans.
This topic describes how to configure exclusion lists for the following:
@ -47,47 +37,52 @@ Any file on the machine that is opened by any process with a specific file name
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:<ul><li>c:\test\sample\test.exe</li><li>c:\test\sample\test2.exe</li><li>c:\test\sample\utility.exe</li></ul>
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
When you add a process to the process exclusion list, antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans.
The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
<a id="gp"></a>
**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to exclude files that have been opened by specified processes from scans:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Process Exclusions** setting and add the exclusions:
4. Double-click **Process Exclusions** and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
2. Under the **Options** section, click **Show...**.
3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
<a id="ps"></a>
**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
@ -106,20 +101,16 @@ Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove items from the list | `Remove-MpPreference`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
```PowerShell
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with antivirus.
**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
@ -132,26 +123,17 @@ ExclusionProcess
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="man-tools"></a>
**Use Configuration Manager to exclude files that have been opened by specified processes from scans:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:**
See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the process exclusion list
The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
@ -166,20 +148,18 @@ Wildcard | Use | Example use | Example matches
? (question mark) | Not available | \- | \-
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>
<a id="review"></a>
## Review the list of exclusions
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Retrieve the status of all antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
**Review the list of exclusions alongside all other Windows Defender AV preferences:**
**Review the list of exclusions alongside all other antivirus preferences:**
Use the following cmdlet:
@ -187,9 +167,7 @@ Use the following cmdlet:
Get-MpPreference
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with antivirus.
**Retrieve a specific exclusions list:**
@ -200,18 +178,12 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with antivirus.
## Related topics
- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)